CVE-2026-56335
Deferred Deferred - Pending Action

Authorization Bypass in Capgo via PostgREST API Key Exploitation

Vulnerability report for CVE-2026-56335, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive channel attributes such as public, allow_emulator, and security-related flags outside intended application routes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56335 is an authorization bypass vulnerability in Capgo versions before 12.128.2. It allows attackers who possess write-scoped API keys to bypass normal authentication checks and directly modify protected channel configuration fields through the PostgREST interface.

The root cause is a null authentication check in the immutability trigger, which is supposed to prevent changes to certain sensitive channel attributes. Because this check fails when the authentication user ID is null (which happens during API-key authentication), attackers can mutate fields that should be immutable, such as public visibility, emulator permissions, and other security-related flags.

This means that attackers can change sensitive channel settings outside of the intended application routes, effectively bypassing access controls.

Impact Analysis

This vulnerability can lead to unauthorized modification of sensitive channel configuration fields, which may compromise the security and intended behavior of your application.

  • Attackers with write API keys can change channel visibility settings (e.g., making private channels public).
  • They can alter emulator permissions and other security-related flags, potentially enabling unauthorized access or actions.
  • Such unauthorized changes can undermine application security policies and lead to data exposure or misuse.
Detection Guidance

This vulnerability involves unauthorized mutation of protected channel configuration fields via write-scoped API keys exploiting a null authentication check in the immutability trigger. Detection would involve monitoring API key usage and changes to sensitive channel attributes such as public visibility, allow_emulator, and security-related flags.

Specifically, detection can focus on identifying unexpected updates to protected fields through PostgREST endpoints, especially those that should be immutable except for version and updated_at.

Commands or queries to detect this might include auditing database update logs on the public.channels table for changes to protected fields by API keys with write scope, or monitoring API request logs for unauthorized mutation attempts.

  • Query the database audit logs for updates to protected fields (e.g., public, allow_emulator) in the public.channels table.
  • Monitor API request logs for write-scoped API key usage that modifies channel configuration outside intended application routes.
  • Use SQL queries to check for recent changes to immutable fields except version and updated_at, for example: SELECT * FROM public.channels WHERE updated_at > some_recent_time AND (public IS DISTINCT FROM previous_value OR allow_emulator IS DISTINCT FROM previous_value);
Mitigation Strategies

Immediate mitigation steps include upgrading Capgo to version 12.128.2 or later, where the vulnerability is fixed.

Until an upgrade can be performed, restrict or revoke write-scoped API keys that have permissions to mutate channel configuration fields.

Additionally, review and tighten Role-Level Security (RLS) policies on the public.channels table to prevent unauthorized updates by API keys.

  • Upgrade Capgo to version 12.128.2 or later.
  • Revoke or limit write-scoped API keys that can modify protected channel configuration.
  • Review and enforce stricter RLS UPDATE policies on the public.channels table.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart